Management's Annual Report on Internal Control Over Financial Reporting

By Ron Kral, Partner of Kral Ussery LLC

Now is a great time to revisit internal control over financial reporting (ICFR) disclosures since public companies with fiscal years ending in December will be concluding soon upon their ICFR effectiveness. Management, especially the certifying officers, must fully understand the 10-K disclosure report entitled Management's Annual Report on Internal Control Over Financial Reporting (Annual Report on ICFR). This report involves much more than simply fulfilling a disclosure requirement through ‘boiler-plate’ language. Failure to follow the underlying requirements can lead to harsh regulatory actions. Are you comfortable with the documentation requirements, including use of a framework and properly concluding on the severity of deficiencies? This article cites U.S. Securities and Exchange Commission (SEC) guidance, as well as an enforcement case, to help answer this question.

For private companies and non-profit organization not subject to SEC requirements, defining and assessing controls is simply a sound business exercise regardless of regulatory compliance considerations. Refer to my previous article entitled “Controls” Is Not a Dirty Word for additional insights.

While those directly involved with the SEC periodic reporting process maybe well-versed with the Annual Report on ICFR requirements, others may not. This is especially true for people outside the finance department, such as information technology (IT), human resources (HR), operations, and yes – even the CEO in some cases. To realize an effective ICFR evaluation process, it is important for everyone involved to have a clear understanding of the requirements and their roles. Correctly applying the required framework, such as COSO’s Internal Control – Integrated Framework, greatly helps in shaping accountabilities, but challenges still lurk. Here are some common questions this article addresses:

• What is the purpose of the evaluation of ICFR?

  • Since this is primarily the responsibility of financial reporting personnel, why should I care?

  • What are the requirements for the Annual Report on ICFR?

  • What is the difference between an evaluation and an assessment?

  • What is involved with using a framework for evaluating ICFR?

  • Who should conclude on the assessment of ICFR?

  • What are the documentation requirements?

Let’s first address the initial two questions before moving onto the requirements. According to SEC’s Release #33-8810 & #34-55929 (Interpretive Release):

The Interpretive Release provides guidance for management in evaluating and assessing ICFR. Although dating back to 2007, this is a release that should be periodically revisited by management of all public companies. Too many times I see management referencing Public Company Accounting Oversight Board (PCAOB) criteria, which is intended for public company auditors rather than the companies themselves. The concepts of reasonable judgment, scalability, and risk are central themes. Additionally, the Interpretive Release advocates a top-down, risk-based approach to identify risks and controls, and in determining evidential matter necessary to support the assessment. This approach explicitly includes IT general controls and entity-level controls , which encompasses a wide range of employees from multiple departments.

A company’s culture, as well as its process for attracting, developing, and retaining employees, are examples of entity-level control areas that have a pervasive effect on financial reporting objectives and thus need to be considered in the ICFR evaluation process. Hence, this is not simply an exercise of the CFO and controllership functions, but rather involves the inputs and efforts of many people. Refer to footnote #2 to better understand the definition of entity-level controls and the different roles impacting ICFR.

The scoping matter of IT controls deserves further attention since there is often an ongoing debate between the IT department, the controllership function, and auditors on this topic. IT general controls and software application controls may be relevant to the ICFR evaluation, but this varies widely depending on the company’s technology infrastructure and ultimate uses of the technology. SEC’s Interpretive Release states that “management only needs to evaluate those IT general controls that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks.”  There is a lot of judgment that factors into this, but ultimately if the IT infrastructure or software is relevant to addressing financial reporting risks, either directly or indirectly through other financial reporting controls, it should be considered for scoping purposes.  

There are four disclosure requirements to the Annual Report on ICFR  as follows:

1. A statement of management's responsibility for establishing and maintaining adequate ICFR for the registrant;

2. A statement identifying the framework  used by management to evaluate  the effectiveness of the registrant's ICFR;

3. Management's assessment  of the effectiveness of the registrant's ICFR as of the end of the registrant's most recent fiscal year, including a statement as to whether or not ICFR is effective. This discussion must include disclosure of any material weakness in the registrant's internal control over financial reporting identified by management. Management is not permitted to conclude that the registrant's ICFR is effective if there are one or more material weaknesses in the registrant's ICFR; and

4. If the registrant is an accelerated filer or a large accelerated filer, or otherwise includes in its annual report a registered public accounting firm’s attestation report on ICFR, a statement that the registered public accounting firm that audited the financial statements has issued an attestation report on the registrant’s ICFR.

The first disclosure requirement is simply an affirmation of management’s responsibility for ICFR. Management is led by the CEO and CFO (or persons performing similar functions), otherwise known as the ‘certifying officers’ since they must also sign-off on these responsibilities through Exhibit 31 of the 10-K. Long gone are the days of the CEO being able to plead ignorance of ICFR thanks to this requirement.

The fourth requirement is also straight-forward in disclosing in the 10-K filings, as applicable, that the external auditor has issued an audit report on the effectiveness of ICFR. This is not a requirement for all SEC registrants, but is for many accelerated filers (all except emerging growth companies as defined by the SEC) and all large accelerated filers.

Since the first and fourth disclosure requirements of the Annual Report on ICFR are easy to grasp, it is the second and third requirements that warrant the most attention in terms of an underlying process.

The Internal Control – Integrated Framework, published by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), is by far the most common framework used by SEC registrants for evaluating ICFR (COSO Framework). This does not mean that the COSO Framework is the only option, as the SEC mentions other control frameworks  that they consider suitable. 

The important take-away is that management must disclose the framework they use to evaluate the effectiveness of ICFR and “must maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the registrant’s internal control over financial reporting.”  This means that you need evidence to support utilizing the COSO Framework in the evaluation process unless another framework is cited in the Annual Report on ICFR, in which case there must be evidence of the framework used.

Simply referencing a framework in the Annual Report on ICFR is not sufficient as there must be evidence of how relevant facets of the framework were utilized. For the COSO Framework, this means that all five components and 17 principles must be concluded upon unless a principle is not deemed relevant (refer to my previous article entitled Implementing COSO’s 2013 Framework for more details). Understand that the 17 principles are usually owned by several different departments, such as IT with principles #11 and #13. Finally, keep in mind that the COSO Framework is a powerful tool for achieving operating, compliance, and other reporting objectives beyond the Annual Report on ICFR. Look beyond pure compliance to best maximize shareholder value. 

The internal audit function should be an integral part of the ICFR evaluation process. However, it is ultimately management’s responsibility, as led by the CEO and CFO, to conclude on their assessment. This was made very clear through an SEC enforcement action against Magnum Hunter Resources Corporation (MHR) in 2016.  The following four CPAs were penalized in this case, including fines and cease and desist orders:

  • MHR’s Chief Financial Officer 

  • MHR’s Chief Accounting Officer

  • Former partner at the public accounting firm who was responsible for providing MHR’s external auditing services 

  • A partner at a public accounting firm responsible for the engagement to provide Sarbanes-Oxley Act of 2002 (“SOX”) consulting and internal auditing services to MHR

To summarize this enforcement action, MHR engaged an internal auditor to assist management with the documentation, testing, and evaluation of the company’s ICFR. The internal auditor concluded that a significant deficiency existed due to inadequate and inappropriately aligned staffing. Specifically, the internal auditor’s report stated that “the potential for error in such a compressed work environment presents substantial risk,”  yet cited the staffing deficiency as only a significant deficiency rather than a material weakness without explanation. The external auditor and MHR management accepted the assessment that MHR’s insufficient accounting staffing represented a significant deficiency. Thus, MHR concluded that its ICFR was effective since they did not report a material weakness in its 10-K filing. Additionally, management did not prepare any documentary evidence to supplement the documentation created by the internal auditor. The failures to properly conclude on the severity of an ICFR deficiency, as well as maintaining documentation in support of management’s assessment, were cited in the enforcement action. Also cited was the external auditor’s failure to adequately document the basis of their conclusion in accordance with PCAOB standards.

While the judgments on the severity of the deficiency were obviously questionable in the MHR case, the fact that there was not adequate documentation from the internal auditor, management, or external auditor is likely what sealed their fates. In practice, professional judgments will vary as not everyone will necessarily come to the same conclusion. However, you should always have the supporting reasons behind important conclusions fully documented to best protect yourself and your employer. Consider the Annual Report on ICFR as one of these important conclusions. Ultimately, it is management’s call on concluding if any material weaknesses in ICFR exist as of the end of the fiscal year, not their auditors.

SEC enforcers continue to investigate and prosecute a broader range of ICFR violations, thus raising the stakes for certifying officers and others involved in the financial reporting process. It is important to understand the regulatory requirements through ongoing training and seek answers when in doubt. Remember that management must retain their own documentation to support their assessment. The internal audit function can be an integral part of the ICFR evaluation process, however, the certifying officers must understand the definition of a material weakness themselves and retain their own documentation in support of the ICFR assessment. It is management, led by the certifying officers, who owns the Annual Report on ICFR.

While it is true that the language of the Annual Report on ICFR seldom changes from year-to-year, the evaluation process in concluding on the effectiveness of ICFR must be dynamic to address a myriad of changes, such as new accounting standards, evolving risks, merger and acquisition transactions, new personnel, operating environments, etc. Don’t underestimate the ICFR evaluation effort.